Semgrep CLI for AI Agents

Use the Semgrep CLI from KosmoKrator to call Semgrep tools headlessly, return JSON, inspect schemas, and automate workflows from coding agents, scripts, and CI.

Semgrep CLI Setup

Semgrep can be configured headlessly with `kosmokrator integrations:configure semgrep`.

Install, configure, and verify
# Install KosmoKrator first if it is not available on PATH.
curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

# Configure and verify this integration.
kosmokrator integrations:configure semgrep --set api_token="$SEMGREP_API_TOKEN" --enable --read allow --write ask --json
kosmokrator integrations:doctor semgrep --json
kosmokrator integrations:status --json

Credentials

Authentication type: API token (`api_token`). Configure credentials once, then reuse the same stored profile from scripts, coding CLIs, Lua, and MCP.

| Key | Env var | Type | Required | Label |
| --- | --- | --- | --- | --- |
| `api_token` | `SEMGREP_API_TOKEN` | Secret (`secret`) | yes | API Token |
| `url` | `SEMGREP_URL` | URL (`url`) | no | API Base URL |

Command Patterns

The generic command is stable across every integration. The provider shortcut is shorter for humans.

Generic CLI call
kosmo integrations:call semgrep.semgrep_misc_service_get_bootstrap_sms_vpc '{}' --json
Provider shortcut
kosmo integrations:semgrep semgrep_misc_service_get_bootstrap_sms_vpc '{}' --json

Discovery

These commands return structured output for coding agents that need to inspect capabilities before choosing a function.

Discovery commands
kosmo integrations:docs semgrep --json
kosmo integrations:docs semgrep.semgrep_misc_service_get_bootstrap_sms_vpc --json
kosmo integrations:schema semgrep.semgrep_misc_service_get_bootstrap_sms_vpc --json
kosmo integrations:search "Semgrep" --json
kosmo integrations:list --json

Automation Contexts

The same configured command surface works in these environments. The command does not change unless the host wrapper, credentials, or permissions change.

CLI Functions

Every function below can be called headlessly.

semgrep.semgrep_misc_service_get_bootstrap_sms_vpc

[Beta] Get SMS VPC Bootstrap CloudFormation Template. Official Semgrep Web API endpoint: `GET /api/v1/bootstrap-sms-vpc`. VPC support for Managed Scans is in private beta. Returns the Managed Scans VPC Bootstrap CloudFormation template in JSON

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_misc_service_get_bootstrap_sms_vpc '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_misc_service_get_bootstrap_sms_vpc '{}' --json

semgrep.semgrep_deployments_service_list_deployments

List deployments. Official Semgrep Web API endpoint: `GET /api/v1/deployments`. Request the deployments your auth can access. Currently available auth scope does not extend over more than one deployment. This endpoint returns the single deploym

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_deployments_service_list_deployments '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_deployments_service_list_deployments '{}' --json

semgrep.semgrep_supply_chain_service_list_dependencies

List dependencies. Official Semgrep Web API endpoint: `POST /api/v1/deployments/{deploymentId}/dependencies`.

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_supply_chain_service_list_dependencies '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_supply_chain_service_list_dependencies '{}' --json

semgrep.semgrep_supply_chain_service_list_repositories_for_dependencies

List repositories with dependencies. Official Semgrep Web API endpoint: `POST /api/v1/deployments/{deploymentId}/dependencies/repositories`.

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_supply_chain_service_list_repositories_for_dependencies '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_supply_chain_service_list_repositories_for_dependencies '{}' --json

semgrep.semgrep_supply_chain_service_list_lockfiles_for_dependencies

List lockfiles in a given repository with dependencies. Official Semgrep Web API endpoint: `POST /api/v1/deployments/{deploymentId}/dependencies/repositories/{repositoryId}/lockfiles`.

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_supply_chain_service_list_lockfiles_for_dependencies '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_supply_chain_service_list_lockfiles_for_dependencies '{}' --json

semgrep.semgrep_policies_service_list_policies

List policies. Official Semgrep Web API endpoint: `GET /api/v1/deployments/{deploymentId}/policies`.

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_policies_service_list_policies '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_policies_service_list_policies '{}' --json

semgrep.semgrep_policies_service_list_policy_rules

List policy rules. Official Semgrep Web API endpoint: `GET /api/v1/deployments/{deploymentId}/policies/{policyId}`.

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_policies_service_list_policy_rules '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_policies_service_list_policy_rules '{}' --json

semgrep.semgrep_policies_service_update_policy

Update policy. Official Semgrep Web API endpoint: `PUT /api/v1/deployments/{deploymentId}/policies/{policyId}`.

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_policies_service_update_policy '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_policies_service_update_policy '{}' --json

semgrep.semgrep_supply_chain_service_create_sbom_export

Create a new SBOM export job. Official Semgrep Web API endpoint: `POST /api/v1/deployments/{deploymentId}/sbom/export`.

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_supply_chain_service_create_sbom_export '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_supply_chain_service_create_sbom_export '{}' --json

semgrep.semgrep_supply_chain_service_get_sbom_export

Get the status of a SBOM export job. Official Semgrep Web API endpoint: `GET /api/v1/deployments/{deploymentId}/sbom/export/{taskToken}`.

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_supply_chain_service_get_sbom_export '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_supply_chain_service_get_sbom_export '{}' --json

semgrep.semgrep_scans_service_get_scan

Get scan details. Official Semgrep Web API endpoint: `GET /api/v1/deployments/{deploymentId}/scan/{scanId}`. Request the details of a scan including the associated deployment, repository, and commit information.

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_scans_service_get_scan '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_scans_service_get_scan '{}' --json

semgrep.semgrep_scans_service_search_scans

List scans (beta). Official Semgrep Web API endpoint: `POST /api/v1/deployments/{deploymentId}/scans/search`. List the scans associated with a particular repository over the past 30 days.

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_scans_service_search_scans '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_scans_service_search_scans '{}' --json

semgrep.semgrep_secrets_service_list_secrets_path

List secrets. Official Semgrep Web API endpoint: `GET /api/v1/deployments/{deploymentId}/secrets`.

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_secrets_service_list_secrets_path '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_secrets_service_list_secrets_path '{}' --json

semgrep.semgrep_ticketing_service_delete_ticket

Unlink a Jira ticket. Official Semgrep Web API endpoint: `DELETE /api/v1/deployments/{deploymentId}/ticketing/v2/tickets/{externalTicketId}`. Unlink a Jira ticket by its ID.

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_ticketing_service_delete_ticket '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_ticketing_service_delete_ticket '{}' --json

semgrep.semgrep_ticketing_service_link_ticket

Link an existing ticket to findings. Official Semgrep Web API endpoint: `POST /api/v1/deployments/{deploymentId}/tickets/link`. Link an existing external ticket (e.g. Jira) to one or more Semgrep findings by providing the ticket URL and a list

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_ticketing_service_link_ticket '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_ticketing_service_link_ticket '{}' --json

semgrep.semgrep_ticketing_service_unlink_ticket

Unlink a ticket from findings. Official Semgrep Web API endpoint: `POST /api/v1/deployments/{deploymentId}/tickets/unlink`. Remove the ticket association from one or more Semgrep findings by providing a list of finding IDs. This does not delete

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_ticketing_service_unlink_ticket '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_ticketing_service_unlink_ticket '{}' --json

semgrep.semgrep_findings_service_list_findings

List code, supply chain, or AI-powered scan findings. Official Semgrep Web API endpoint: `GET /api/v1/deployments/{deploymentSlug}/findings`. Request the list of code, supply chain, or AI-powered scan findings in an organization, paginated in p

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_findings_service_list_findings '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_findings_service_list_findings '{}' --json

semgrep.semgrep_projects_service_list_projects

List all projects. Official Semgrep Web API endpoint: `GET /api/v1/deployments/{deploymentSlug}/projects`. Request the list of projects that have been scanned or onboarded to Managed Scans. Does not return archived repositories. Returns 100 pro

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_projects_service_list_projects '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_projects_service_list_projects '{}' --json

semgrep.semgrep_projects_service_get_project

Get project details. Official Semgrep Web API endpoint: `GET /api/v1/deployments/{deploymentSlug}/projects/{projectName}`. Retrieve details for a single project associated with a deployment that you have access to.

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_projects_service_get_project '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_projects_service_get_project '{}' --json

semgrep.semgrep_projects_service_update_project

Update project details. Official Semgrep Web API endpoint: `PATCH /api/v1/deployments/{deploymentSlug}/projects/{projectName}`. Update attributes for the project using the value passed in to the request body. Note: The only attribute that is su

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_projects_service_update_project '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_projects_service_update_project '{}' --json

semgrep.semgrep_projects_service_delete_project

Delete project. Official Semgrep Web API endpoint: `DELETE /api/v1/deployments/{deploymentSlug}/projects/{projectName}`. Delete a project for a deployment you have access to. This will also delete all of the associated findings.

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_projects_service_delete_project '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_projects_service_delete_project '{}' --json

semgrep.semgrep_projects_service_toggle_project_managed_scan

Toggle Managed Scans for a project. Official Semgrep Web API endpoint: `PATCH /api/v1/deployments/{deploymentSlug}/projects/{projectName}/managed-scan`. Enable or disable [Semgrep Managed Scans](/docs/deployment/managed-scanning/overview) for a

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_projects_service_toggle_project_managed_scan '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_projects_service_toggle_project_managed_scan '{}' --json

semgrep.semgrep_projects_service_add_project_tags

Add tags to project. Official Semgrep Web API endpoint: `PUT /api/v1/deployments/{deploymentSlug}/projects/{projectName}/tags`. Add tags to a project for a deployment you have access to. Any project tags that do not already exist for the deploy

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_projects_service_add_project_tags '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_projects_service_add_project_tags '{}' --json

semgrep.semgrep_projects_service_delete_project_tags

Remove tags from project. Official Semgrep Web API endpoint: `DELETE /api/v1/deployments/{deploymentSlug}/projects/{projectName}/tags`. Remove tags from a project for a deployment you have access to. This request will not delete project tags fr

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_projects_service_delete_project_tags '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_projects_service_delete_project_tags '{}' --json

semgrep.semgrep_ticketing_service_create_ticket

Create Jira tickets. Official Semgrep Web API endpoint: `POST /api/v1/deployments/{deploymentSlug}/tickets`. Create Jira tickets for your findings. You can create tickets by passing in a list of issue_ids or by passing in filter query parameter

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_ticketing_service_create_ticket '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_ticketing_service_create_ticket '{}' --json

semgrep.semgrep_triage_service_bulk_triage

Bulk triage. Official Semgrep Web API endpoint: `POST /api/v1/deployments/{deploymentSlug}/triage`. Bulk triage your findings. You can select the findings to triage by passing in a list of finding IDs as issue_ids, or by passing in filter query

Permission: write
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_triage_service_bulk_triage '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_triage_service_bulk_triage '{}' --json

semgrep.semgrep_misc_service_ping

Ping. Official Semgrep Web API endpoint: `GET /api/v1/ping`. Use to ping the server and assert liveness.

Permission: read
Parameters
none
Generic call
kosmo integrations:call semgrep.semgrep_misc_service_ping '{}' --json
Shortcut
kosmo integrations:semgrep semgrep_misc_service_ping '{}' --json

Function Schemas

Use these parameter tables when building CLI payloads without calling `integrations:schema` first.

semgrep.semgrep_misc_service_get_bootstrap_sms_vpc 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_misc_service_get_bootstrap_sms_vpc --json
No parameters.
semgrep.semgrep_deployments_service_list_deployments 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_deployments_service_list_deployments --json
No parameters.
semgrep.semgrep_supply_chain_service_list_dependencies 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_supply_chain_service_list_dependencies --json
No parameters.
semgrep.semgrep_supply_chain_service_list_repositories_for_dependencies 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_supply_chain_service_list_repositories_for_dependencies --json
No parameters.
semgrep.semgrep_supply_chain_service_list_lockfiles_for_dependencies 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_supply_chain_service_list_lockfiles_for_dependencies --json
No parameters.
semgrep.semgrep_policies_service_list_policies 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_policies_service_list_policies --json
No parameters.
semgrep.semgrep_policies_service_list_policy_rules 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_policies_service_list_policy_rules --json
No parameters.
semgrep.semgrep_policies_service_update_policy 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_policies_service_update_policy --json
No parameters.
semgrep.semgrep_supply_chain_service_create_sbom_export 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_supply_chain_service_create_sbom_export --json
No parameters.
semgrep.semgrep_supply_chain_service_get_sbom_export 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_supply_chain_service_get_sbom_export --json
No parameters.
semgrep.semgrep_scans_service_get_scan 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_scans_service_get_scan --json
No parameters.
semgrep.semgrep_scans_service_search_scans 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_scans_service_search_scans --json
No parameters.
semgrep.semgrep_secrets_service_list_secrets_path 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_secrets_service_list_secrets_path --json
No parameters.
semgrep.semgrep_ticketing_service_delete_ticket 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_ticketing_service_delete_ticket --json
No parameters.
semgrep.semgrep_findings_service_list_findings 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_findings_service_list_findings --json
No parameters.
semgrep.semgrep_projects_service_list_projects 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_projects_service_list_projects --json
No parameters.
semgrep.semgrep_projects_service_get_project 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_projects_service_get_project --json
No parameters.
semgrep.semgrep_projects_service_update_project 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_projects_service_update_project --json
No parameters.
semgrep.semgrep_projects_service_delete_project 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_projects_service_delete_project --json
No parameters.
semgrep.semgrep_projects_service_toggle_project_managed_scan 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_projects_service_toggle_project_managed_scan --json
No parameters.
semgrep.semgrep_projects_service_add_project_tags 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_projects_service_add_project_tags --json
No parameters.
semgrep.semgrep_projects_service_delete_project_tags 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_projects_service_delete_project_tags --json
No parameters.
semgrep.semgrep_ticketing_service_create_ticket 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_ticketing_service_create_ticket --json
No parameters.
semgrep.semgrep_triage_service_bulk_triage 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_triage_service_bulk_triage --json
No parameters.
semgrep.semgrep_misc_service_ping 0 parameters
Schema command
kosmo integrations:schema semgrep.semgrep_misc_service_ping --json
No parameters.

Permissions

Headless calls still follow the integration read/write permission policy. Configure read/write defaults with `integrations:configure`. Add `--force` only for trusted automation that should bypass that policy.